Apache · Apache Superset · CVE-2025-48912
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions prior to 4.1.2
**Description**
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into `sqlExpression` fields. This allowed the execution of sub-queries to evade parsing defenses, ultimately granting unauthorized access to data.
**Recommendations**
For Apache Superset versions prior to 4.1.2, update to version 4.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the `sqlExpression` fields to minimize the risk of exploitation.
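As an added example (not Superset's own code or the upstream fix), the following check shows the kind of server-side gate a deployment could place in front of user-supplied `sqlExpression` values while waiting to upgrade: it rejects expressions that carry a sub-query, statement keywords, comment syntax or a statement separator outside string literals. The `expressionType`/`sqlExpression` dictionary shape used by `audit_adhoc_filters` is assumed for illustration.

```python
import re
from typing import Dict, List

# Single-quoted SQL string literals, with '' as the escaped quote.
_STRING_RE = re.compile(r"'(?:[^']|'')*'")
# Line and block comments, which are commonly used to hide or truncate SQL.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
# Keywords that start a statement or a sub-query; a plain column
# expression (e.g. "price * 1.1") should never need them.
_STATEMENT_KEYWORD_RE = re.compile(
    r"\b(select|union|with|insert|update|delete|drop|alter|exec|execute)\b",
    re.I,
)


def check_sql_expression(expr: str) -> List[str]:
    """Return the reasons an expression should be rejected (empty = accepted)."""
    reasons: List[str] = []
    # Blank out literals first so that text inside quotes cannot trigger
    # (or hide) a finding.
    body = _STRING_RE.sub("''", expr)
    if _COMMENT_RE.search(body):
        reasons.append("comment syntax")
    body = _COMMENT_RE.sub(" ", body)
    if ";" in body:
        reasons.append("statement separator")
    match = _STATEMENT_KEYWORD_RE.search(body)
    if match:
        reasons.append(f"statement keyword {match.group(0).upper()}")
    if body.count("(") != body.count(")"):
        reasons.append("unbalanced parentheses")
    return reasons


def audit_adhoc_filters(filters: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each rejected SQL-type filter expression to its findings.

    Assumed input shape: [{"expressionType": "SQL", "sqlExpression": "..."}].
    """
    rejected: Dict[str, List[str]] = {}
    for item in filters:
        if item.get("expressionType") != "SQL":
            continue
        expr = item.get("sqlExpression", "")
        reasons = check_sql_expression(expr)
        if reasons:
            rejected[expr] = reasons
    return rejected
```

A parser-based validator (one that builds an AST and whitelists node types) is stronger than this keyword gate; the gate is only a stop-gap that fails closed on the sub-query pattern the advisory describes.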